Get Audit Management Log

Cortex Xpanse REST API

post /public_api/v1/audits/management_logs/

Get audit management logs.
- Multiple filters are combined with an AND condition (OR is not supported).
- Maximum result set size is 100 entries per request.
- Offset (search_from) is the zero-based number of audit entries from the start of the result set; search_to marks the end of the requested page.

Request headers
authorization (String, required): the API key. Example: {{api_key}}
x-xdr-auth-id (String, required): the API key ID. Example: {{api_key_id}}
Body parameters (required)
request_data (Object)
  filters (Array of Object)
    field (String, enum). Allowed values: "email", "type", "sub_type", "result", "timestamp", "audit_id"
    operator (String, enum). Allowed values: "in", "neq", "eq", "lte", "gte"
    value (Integer)
  search_from (Integer)
  search_to (Integer)
  sort (Object)
    field (String, enum). Allowed values: "sub_type", "result", "timestamp", "audit_id", "type"
    keyword (String, enum). Allowed values: "ASC", "asc", "DESC", "desc"
  use_page_token (Boolean)
  next_page_token (String). This attribute is only returned if use_page_token is provided in the request with the value true.
REQUEST BODY
{
  "request_data": {
    "search_from": 0,
    "next_page_token": "next_page_token",
    "filters": [
      { "field": "email", "value": 0, "operator": "in" },
      { "field": "email", "value": 0, "operator": "in" }
    ],
    "sort": { "field": "timestamp", "keyword": "desc" },
    "search_to": 0,
    "use_page_token": true
  }
}
CURL
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'authorization: {{api_key}}' \
  -H 'x-xdr-auth-id: {{api_key_id}}' \
  'https://api-}/public_api/v1/audits/management_logs/' \
  -d '{
    "request_data": {
      "search_from": 0,
      "next_page_token": "next_page_token",
      "filters": [
        { "field": "email", "value": 0, "operator": "in" },
        { "field": "email", "value": 0, "operator": "in" }
      ],
      "sort": { "field": "timestamp", "keyword": "desc" },
      "search_to": 0,
      "use_page_token": true
    }
  }'
Responses

Successful response

Body
reply (Object, required)
  total_count (Integer)
  result_count (Integer)
  data (Array of Object)
    AUDIT_ID (Integer)
    AUDIT_OWNER_NAME (String)
    AUDIT_OWNER_EMAIL (String)
    AUDIT_ASSET_JSON (Object)
    AUDIT_ASSET_NAMES (String)
    AUDIT_HOSTNAME (String)
    AUDIT_RESULT (String)
    AUDIT_REASON (String)
    AUDIT_DESCRIPTION (String)
    AUDIT_ENTITY (String, enum). Allowed values: "LIVE_TERMINAL", "RULES", "RULES_EXCEPTIONS", "AUTH", "RESPONSE", "INCIDENT_MANAGEMENT", "ALERT_MANAGEMENT", "INCIDENT_TIMELINE_EVENT", "ENDPOINT_MANAGEMENT", "ENDPOINT_GROUPS", "ALERT_WHITELIST", "PUBLIC_API", "DISTRIBUTIONS", "STARRED_INCIDENTS", "POLICY_PROFILES", "DEVICE_CONTROL_PROFILES", "DEVICE_CONTROL_POLICY", "PROTECTION_PROFILES", "DEVICE_CONTROL_PROFILE", "HOST_FIREWALL_PROFILE", "HOST_DISK_ENCRYPTION_PROFILE", "POLICY_RULES", "PROTECTION_POLICY", "DEVICE_CONTROL_TEMP_EXCEPTIONS", "DEVICE_CONTROL_GLOBAL_EXCEPTIONS", "DEVICE_CONTROL_CUSTOM_DEVICE", "GLOBAL_EXCEPTIONS", "MSSP", "REPORTING", "DASHBOARD", "BROKER_API", "BROKER_VM", "MTH", "MDR", "ALERT_NOTIFICATIONS", "INTEGRATIONS", "QUERY", "SCRIPT_EXECUTION", "ALERT_RULES", "COLLECTION", "API_KEY", "EDL", "VA_RESCAN_ENDPOINT", "HI_RESCAN_ENDPOINT", "REMEDIATION", "INGEST_DATA", "LICENSING", "AGENT_CONFIGURATION", "PERMISSIONS", "SCORING_RULES", "LAYOUT_RULES", "PLAYBOOK_TRIGGERS", "FEATURED_ALERT_FIELDS", "SYSTEM", "TENANT_TAKEOVER", "SCOUTER_POLICY", "SCOUTER_PROFILE", "SCOUTER_GROUPS", "ALLOWED_DOMAINS", "QUERY_LIBRARY", "TENANT_CONFIGURATION", "SCOUTER_CONFIGURATION", "HOST_FIREWALL", "XIF", "XDM", "ACTION_CENTER", "XCLOUD_INTEGRATION", "DATASETS", "XSOAR", "SECURITY_SETTINGS", "ALERT_EXCLUSION", "INDICATOR_RULES", "EVENT_FORWARDING", "ASSET_INVENTORY", "SERVER_SETTINGS", "ASSET_ROLES", "CUSTOM_FIELDS", "AUTOMATION_RULES", "AGENT_EXCEPTION_RULES", "REMEDIATION_PATH_RULES"
    AUDIT_ENTITY_SUBTYPE (String)
    AUDIT_SESSION_ID (String)
    AUDIT_CASE_ID (String)
    AUDIT_INSERT_TIME (Integer)
    AUDIT_SEVERITY (String)
    AUDIT_LINK (String)
    AUDIT_SOURCE_IP (String)
    AUDIT_USER_AGENT (String)
    AUDIT_USER_ROLES (Array of String)
RESPONSE
{
  "reply": {
    "total_count": 0,
    "result_count": 0,
    "data": [
      {
        "AUDIT_ID": 0,
        "AUDIT_OWNER_NAME": "AUDIT_OWNER_NAME_example",
        "AUDIT_OWNER_EMAIL": "AUDIT_OWNER_EMAIL_example",
        "AUDIT_ASSET_JSON": {},
        "AUDIT_ASSET_NAMES": "AUDIT_ASSET_NAMES_example",
        "AUDIT_HOSTNAME": "AUDIT_HOSTNAME_example",
        "AUDIT_RESULT": "AUDIT_RESULT_example",
        "AUDIT_REASON": "AUDIT_REASON_example",
        "AUDIT_DESCRIPTION": "AUDIT_DESCRIPTION_example",
        "AUDIT_ENTITY": "LIVE_TERMINAL",
        "AUDIT_ENTITY_SUBTYPE": "AUDIT_ENTITY_SUBTYPE_example",
        "AUDIT_SESSION_ID": "AUDIT_SESSION_ID_example",
        "AUDIT_CASE_ID": "AUDIT_CASE_ID_example",
        "AUDIT_INSERT_TIME": 0,
        "AUDIT_SEVERITY": "AUDIT_SEVERITY_example",
        "AUDIT_LINK": "AUDIT_LINK_example",
        "AUDIT_SOURCE_IP": "AUDIT_SOURCE_IP_example",
        "AUDIT_USER_AGENT": "AUDIT_USER_AGENT_example",
        "AUDIT_USER_ROLES": [ "AUDIT_USER_ROLES_example" ]
      }
    ]
  }
}

Bad Request. Got an invalid JSON.

Body
reply (Object): the query results upon error.
RESPONSE
{ "reply": {} }

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
reply (Object): the query results upon error.
RESPONSE
{ "reply": {} }

Unauthorized access. User does not have the required license type to run this API.

Body
reply (Object): the query results upon error.
RESPONSE
{ "reply": {} }

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
reply (Object): the query results upon error.
RESPONSE
{ "reply": {} }

Unprocessable Entity

Body
code (Integer): error code
status (String): error name
message (String): error message
errors (Object): errors
RESPONSE
{ "code": 0, "status": "status_example", "message": "message_example", "errors": {} }

Internal server error. A unified status for API communication type errors.

Body
reply (Object): the query results upon error.
RESPONSE
{ "reply": {} }
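The following is an added worked example, not Palo Alto Networks' code and not taken from this reference: a small client that builds request_data bodies within the documented limits (AND-combined filters, at most 100 results per call), pages through the result set with search_from/search_to, and flags audit entries a reviewer would want to see. It pages by offset rather than by use_page_token because the success response schema on this page does not list a next_page_token field. Several things are assumptions rather than documented here: the tenant base URL and credentials are read from the environment variables XPANSE_BASE_URL, XPANSE_API_KEY and XPANSE_API_KEY_ID (names chosen for this example); an "in" filter on "email" or "type" takes a list of strings and "timestamp" takes epoch milliseconds; the "type" filter corresponds to AUDIT_ENTITY; and AUDIT_RESULT is "SUCCESS" for a successful action. The sample entries and the fake_post transport are constructed so the example runs offline.

```python
"""Added example (not Palo Alto Networks' code): page through Cortex Xpanse
audit management logs and flag security-relevant entries.

Assumptions not stated on the reference page: filter values for "email"/"type"
with "in" are lists of strings, "timestamp" values are epoch milliseconds,
the "type" filter matches AUDIT_ENTITY, AUDIT_RESULT is "SUCCESS" on success,
and the base URL has the form https://api-<tenant-fqdn> (set via env vars).
"""
import json
import os
import urllib.request
from typing import Callable, Iterator

ENDPOINT = "/public_api/v1/audits/management_logs/"
MAX_PAGE = 100  # documented maximum result set size per request
FILTER_FIELDS = {"email", "type", "sub_type", "result", "timestamp", "audit_id"}
FILTER_OPERATORS = {"in", "neq", "eq", "lte", "gte"}
SORT_FIELDS = {"sub_type", "result", "timestamp", "audit_id", "type"}


def build_request(filters, search_from=0, page_size=MAX_PAGE,
                  sort_field="timestamp", sort_keyword="desc"):
    """Build the request body; the API ANDs all filters (no OR)."""
    if not 0 < page_size <= MAX_PAGE:
        raise ValueError(f"page_size must be 1..{MAX_PAGE}")
    for f in filters:
        if f["field"] not in FILTER_FIELDS or f["operator"] not in FILTER_OPERATORS:
            raise ValueError(f"unsupported filter: {f}")
    if sort_field not in SORT_FIELDS or sort_keyword.lower() not in ("asc", "desc"):
        raise ValueError("unsupported sort")
    return {"request_data": {
        "filters": list(filters),
        "search_from": search_from,
        "search_to": search_from + page_size,
        "sort": {"field": sort_field, "keyword": sort_keyword},
    }}


def http_post(base_url: str, api_key: str, api_key_id: str) -> Callable[[dict], dict]:
    """Return a transport that POSTs JSON with the documented auth headers."""
    def post(body: dict) -> dict:
        req = urllib.request.Request(
            base_url.rstrip("/") + ENDPOINT,
            data=json.dumps(body).encode(),
            headers={"Accept": "application/json",
                     "Content-Type": "application/json",
                     "authorization": api_key,          # API key
                     "x-xdr-auth-id": api_key_id},      # API key ID
            method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def iter_audit_logs(post: Callable[[dict], dict], filters,
                    page_size: int = MAX_PAGE) -> Iterator[dict]:
    """Yield every matching entry, advancing the offset by the number of
    entries actually returned until total_count is reached or a page is empty."""
    offset = 0
    while True:
        reply = post(build_request(filters, offset, page_size))["reply"]
        data = reply.get("data") or []
        yield from data
        offset += len(data)
        if not data or offset >= reply.get("total_count", 0):
            return


# Entities whose changes deserve review (assumed selection, not from the page).
WATCH_ENTITIES = {"API_KEY", "PERMISSIONS", "AUTH", "TENANT_TAKEOVER", "SECURITY_SETTINGS"}


def flag_entries(entries) -> list:
    """Return (AUDIT_ID, AUDIT_ENTITY, AUDIT_RESULT, AUDIT_OWNER_EMAIL) for
    failed actions and for any action on a watched entity."""
    return [(e["AUDIT_ID"], e["AUDIT_ENTITY"], e["AUDIT_RESULT"], e["AUDIT_OWNER_EMAIL"])
            for e in entries
            if e.get("AUDIT_RESULT", "").upper() != "SUCCESS"
            or e.get("AUDIT_ENTITY") in WATCH_ENTITIES]


# Constructed sample entries (not real tenant data) served by fake_post below.
SAMPLE_ENTRIES = [
    {"AUDIT_ID": i, "AUDIT_OWNER_EMAIL": "admin@example.com", "AUDIT_ENTITY": ent,
     "AUDIT_RESULT": res, "AUDIT_INSERT_TIME": 1700000000000 + i}
    for i, (ent, res) in enumerate([("API_KEY", "SUCCESS"), ("QUERY", "SUCCESS"),
                                    ("AUTH", "FAIL"), ("PERMISSIONS", "SUCCESS"),
                                    ("DASHBOARD", "SUCCESS")], start=1)
]


def fake_post(body: dict) -> dict:
    """Offline stand-in for the API: slices SAMPLE_ENTRIES by search_from/search_to."""
    rd = body["request_data"]
    page = SAMPLE_ENTRIES[rd["search_from"]:rd["search_to"]]
    return {"reply": {"total_count": len(SAMPLE_ENTRIES),
                      "result_count": len(page), "data": page}}


if __name__ == "__main__":
    filters = [{"field": "timestamp", "operator": "gte", "value": 1700000000000}]
    post = fake_post if not os.environ.get("XPANSE_API_KEY") else http_post(
        os.environ["XPANSE_BASE_URL"], os.environ["XPANSE_API_KEY"],
        os.environ["XPANSE_API_KEY_ID"])
    for row in flag_entries(iter_audit_logs(post, filters, page_size=2)):
        print(row)
```

Run it without the environment variables to see pagination over the constructed data (page_size=2 forces three calls); with them set, the same loop goes to the tenant. Keep search_to - search_from at or below 100, since larger pages are rejected by the documented limit, and treat a 401/402/403 reply as a credential or RBAC problem rather than retrying it.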